Systemd is an alternative to the original SysVinit init system. We don't use Systemd in our distro because of its complex structure, its incompatibility with the UNIX philosophy and its bugs. A newly found bug in Systemd allows a unit to run with root privileges. According to an article in The Register, the bug causes commands to run with root privileges when a unit file is created with an invalid username that starts with a number. In most situations, Linux usernames are not supposed to begin with numbers, but some modern Linux distributions, like RHEL7 and CentOS, allow this.

Systemd passes over an invalid username

As the documentation says, “If systemd encounters an unknown option, it will write a warning log message but continue loading the unit.” But when an invalid username is defined as a parameter in a unit file, Systemd runs the unit with root privileges instead of rejecting it or running it with restricted permissions.

It’s not a critical vulnerability.

Interestingly, one of the Systemd lead developers, Lennart Poettering, did not classify this situation as a bug. Many users and developers think that it is a bug and have reacted to Poettering's carelessness. The article states that there is no critical vulnerability due to the limited attack vector. However, it is foreseen that unit files can cause trouble in automatically generated configurations.
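Since generated unit files are where this is most likely to slip through, here is an audit sketch added as an example (it is not code from Systemd or from the article). It reports `User=` and `Group=` values that begin with a digit; values made only of digits are skipped because those settings also accept a numeric ID. The directory list, the suffix list and the function names are assumptions for illustration.

```python
import re
from pathlib import Path

# Assumed unit search paths; adjust for the distribution being audited.
UNIT_DIRS = ("/etc/systemd/system", "/run/systemd/system", "/usr/lib/systemd/system")
UNIT_SUFFIXES = (".service", ".socket", ".conf")  # .conf covers drop-ins

# Constructed sample unit, not taken from a real system.
SAMPLE_UNIT = """\
[Unit]
Description=Constructed example

[Service]
# User=0commented
User=0day
Group=1000
ExecStart=/usr/bin/id
"""

ASSIGN = re.compile(r"^\s*(User|Group)\s*=\s*(.*?)\s*$")
# Starts with a digit but is not a plain numeric ID such as 1000.
DIGIT_LED_NAME = re.compile(r"[0-9]+[^0-9].*")

def suspicious_assignments(text):
    """Return (lineno, key, value) for digit-led, non-numeric User=/Group= values."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith(("#", ";")):  # unit-file comment lines
            continue
        m = ASSIGN.match(line)
        if m and DIGIT_LED_NAME.fullmatch(m.group(2)):
            hits.append((lineno, m.group(1), m.group(2)))
    return hits

def scan_dirs(dirs=UNIT_DIRS):
    """Scan unit files and drop-ins under dirs; return (path, lineno, key, value)."""
    findings = []
    for root in map(Path, dirs):
        if not root.is_dir():
            continue
        for path in sorted(root.rglob("*")):
            if path.suffix in UNIT_SUFFIXES and path.is_file():
                text = path.read_text(errors="replace")
                findings += [(str(path), *hit) for hit in suspicious_assignments(text)]
    return findings

if __name__ == "__main__":
    print(suspicious_assignments(SAMPLE_UNIT))  # check the constructed sample
    for finding in scan_dirs():
        print("%s:%d: %s=%s" % finding)
```

Running it as a step in whatever pipeline generates unit files catches the problem before the unit is ever loaded.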